Countering the Path Explosion Problem in the Symbolic
Execution of Hardware Designs
Kaki Ryan
University of North Carolina
Chapel Hill, NC, USA
Abstract—Symbolic execution is a powerful verification tool for hard-
ware designs, but suffers from the path explosion problem. We introduce
a new approach, piecewise composition, which leverages the modular
structure of hardware to transfer the work of path exploration to
SMT solvers. We present a symbolic execution engine implementing the
arXiv:2304.05445v1 [cs.CR] 11 Apr 2023
technique. The engine operates directly over register transfer level (RTL)
Verilog designs without requiring translation to a netlist or software
simulation. In our evaluation, piecewise composition reduces the number
of paths explored by an order of magnitude and reduces the runtime by
97%. Using 84 properties from the literature we find assertion violations
in 5 open-source designs including an SoC and CPU.
Index Terms—verification, formal methods, hardware, security
I. I NTRODUCTION
The verification of hardware designs is a key activity for ensuring
the correctness and security of a design early in the hardware
lifecycle. Current best practice includes assertion-based verification
(ABV) [1], which has simulation-based testing as the underlying
means of verification, and formal verification techniques, an umbrella
term encompassing many techniques with the goal of proving a given
property of a design. One technique in particular that has gained
recent attention, especially in security verification applications, is
symbolic execution [2] [3] [4].
Symbolic execution generalizes testing by replacing input values
with symbols, where each symbol represents the set of possible values
of the input parameter. A symbolic execution engine drives symbolic
execution using the semantics of the program’s language, but updated
to include symbols. As execution proceeds the symbols are used
in place of literal values. The result of symbolically executing a
design for one clock cycle is a tree of paths, each one associated
with a unique path condition that describes the conditions satisfied
by branches taken along the path. If any path is found to violate a
given assertion, then the associated path condition acts as a precise
description of the inputs that will drive (concrete) execution along
the same path; concrete values that satisfy the path condition are a
counter-example to the assertion.
Unfortunately, symbolic execution suffers from the path explosion
problem – each path through a design is explored separately and
the number of paths grows exponentially with the number of branch
points, or control flow statements, in the design. Prior work has
sought to avoid the path explosion problem by combining symbolic
execution with model checking [5], concrete execution traces [4], or
by limiting the use to small designs [6].
We introduce piecewise composition, a technique that leverages the
structure of hardware designs to transfer the problem to the domain
of satisfiability modulo theories (SMT) solving so that the number
of paths to symbolically explore grows exponentially with only the
number of branch points in any one always block, and linear in the
number of always blocks in the design. In this way we reap the
benefits of recent advances in SMT, while maintaining the usability
of having individual path information at the register-transfer level
(RTL).
Cynthia Sturton
University of North Carolina
Chapel Hill, NC, USA
Symbolic execution is closely related to symbolic simulation [7]
[5] [8]. In both, concrete input values are replaced with symbolic
values, representing any possible value, and how the symbolic values
propagate through the design is tracked. However, there is a key
difference. In symbolic simulation, the analysis is centered around
dataflow. At the end of a simulation run, each signal may hold the
value true, false, or a boolean expression characterizing the entire
circuit that drives that particular signal. Where there are control points
in the circuit, they are expressed as ITE statements in the boolean
expression. In symbolic execution, the analysis is centered around
control flow. At the end of one iteration, each signal is characterized
by an expression in first-order logic that characterizes the particular
path taken through the Verilog RTL. In addition there is a path
condition that represents the conditions under which execution would
follow the particular path through the design.
There is a trade-off to be made between the complexity of queries
sent to the SMT solver (symbolic simulation) and the number of
paths to explore (symbolic execution). With piecewise composition,
we examine a new point in the design space, reducing the number
of paths to explore to a tractable amount, while still keeping SMT
queries simple enough for modern solvers. The result is a symbolic
execution engine that can handle large designs and operate directly
over Verilog at the register-transfer level.
Piecewise composition works by recognizing that independent
parts of a design do not need to be re-explored, once per root-
to-leaf path. The algorithm symbolically explores each independent
block of Verilog once, without consideration of the remaining blocks,
producing a set of symbolic execution trees. To reconstruct full root-
to-leaf paths, whether for finding assertion failures, describing how
information flows through a design, or to generate testcases, we
can use SMT queries to combine the independently explored path
fragments.
Perhaps surprisingly, we show that for a design with N always
blocks, each with at most b binary branch points, symbolic execution
of the design for a single clock cycle requires symbolically executing
O(2b N) paths, instead of the O(2bN ) paths typical of symbolic
execution. The number of paths to explore grows exponentially with
only the number of branch points in any one independent block, and
linearly with the number of blocks.
We apply piecewise composition to symbolically explore five open-
source designs, including SoC and CPU designs, to find assertion
violations in the design. Using 84 assertions from the literature, we
find that on average, piecewise composition reduces runtime by 97%
compared to conventional symbolic execution techniques without loss
of efficacy.
This paper presents the following contributions: (1) Introduction
and definition of piecewise composition, a technique that leverages
the modular nature of hardware designs to counter the path explosion
problem in symbolic execution. (2) Design and implementation of a
symbolic execution engine for Verilog RTL using piecewise composi-
tion. (3) Evaluation of piecewise composition and our implementation
on five open-source SoC and CPU designs.
II. BACKGROUND
We provide a review of the general techniques of symbolic
execution and SMT solving, and describe key aspects of the Verilog
hardware description language.
A. Symbolic Execution
In symbolic execution [9], concrete literals are replaced with
symbolic values: input values are made symbolic and a symbolic
execution engine “executes” the design, keeping track of the current
execution state at each line of code. The execution state has two main
components: the symbolic store σ and the path condition π:
1) σ , the symbolic store maintains mappings between program
variables and symbolic expressions.
2) π, the path condition is a boolean formula over symbolic
expressions describing the conditions satisfied by branches
taken along the current path. The path condition is always
initialized to True.
As the symbolic execution engine executes each line of code,
using symbols in place of literal values wherever they appear, the
engine updates the symbolic state. When a branching statement with
condition b is reached, the path condition π is checked. If π → b,
the then branch is taken. If π → ¬b, the else branch, if present,
is taken. If neither implication holds, then both branches must be
explored in turn, forking the current path into two separate paths to
explore. To explore the path following the then branch, the path
condition π is updated: π := π ∧ b. To explore the path following the
else branch, the path condition is updated: π := π ∧ ¬b. At each
branch point, the number of paths to explore doubles. This is the path
explosion problem, and typically heuristics or merging strategies [5],
[10], [37] are used to guide the exploration to maximize coverage or
depth.
The complete exploration of a hardware design corresponds to a
single clock cycle of execution. Hardware executes continuously and
latent security vulnerabilities may only become clear many clock
cycles after the initial state. This requires symbolically executing
the design for multiple clock cycles, adding to the path explosion
problem.
Importantly, our symbolic execution engine operates directly over
the Verilog RTL without translating to C or compiling down to
the netlist. This allows for greater human-readability of any found
assertion violations – the path taken and the constraints over inputs
will be directly traceable through the RTL design. Our symbolic
execution engine is cycle accurate. We assume no combinational
latches, no asynchronous resets, and always blocks are conditioned
on input clocks. These assumptions are in keeping with prior work
in this area [5].
B. Constraint Solving
Boolean satisfiability (SAT) solvers are decision procedures that
take in a propositional formula and determine if there is an as-
signment of boolean values that will make the formula evaluate to
true. SAT modulo theories (SMT) solvers generalize SAT solving
by supporting theories that are more expressive and can capture
more functionality than simple atomic propositions. Examples in-
clude supporting array operations and supporting linear arithmetic.
SMT solvers have become quite powerful and are able to handle
expressions with hundreds of variables. However, SMT solving is
still an NP-complete problem.
SMT solvers are crucial to symbolic execution both in checking
feasibility of paths as the engine progresses, and in generating
assignments to symbolic variables for a found path, e.g., to produce
a test-case. Some of the most widely used solvers are STP [11] (used
in KLEE [13]) and Z3 [12] (used in Mayhem [14] and angr [15]).
C. Verilog
Verilog is a hardware description language and is the industry
standard for developing real-world computer systems. A basic unit of
design in Verilog is a module. Modules often contain other modules,
making the design hierarchical. A module combines multiple sub-
modules by making the output signals of one module connect to
the input signals of a second module, with connection wires and
registers in between. Verilog has several constructs that allow data to
flow differently than a sequential-only software program would. For
example, multiple modules composed in parallel are truly executing
in parallel. Within a module, an always block is used to define a
set of events that only happen under certain conditions. For instance,
assignment statements that are only to be executed at a clock’s rising
or falling edge. The statements within a sequential always block
are all executed in parallel, and two different always blocks operate
in parallel.
III. P IECEWISE C OMPOSITION
Symbolic execution has two main costs: the time required to
simulate execution and update the symbolic store for each line of
code, and the time required to determine whether both branches are
feasible at each branch point in a path. Both parts are costly, but
recent advances in SMT solving have cut the cost to deciding branch
feasibility, whereas the costs to symbolically execute an instruction
have remained relatively stable.
In conventional symbolic execution, each line of code is potentially
visited multiple times, once for each path explored. Our approach
is to aggressively decompose the design into independent blocks,
symbolically explore each block once, then use an SMT solver to
compose path conditions and symbolic stores from each block. This
strategy is made possible by the inherent modular nature of hardware
designs, and lets us leverage the relative speed of modern SMT
solvers compared to the cost of symbolically executing lines of code.
The result is a complete (logical) tree of paths through the design.
While the number of paths in the full tree is exponential in the number
of branches in the design, the symbolic execution engine explores a
number of paths exponential in only the number of branches in any
single independent block and polynomial in the number of blocks.
A. Motivating Example
Figure 1 shows a code snippet with two always blocks and branch
points at lines 2 and 9. The corresponding control flow graph with
an arbitrary ordering of the always blocks is given in Figure 2a,
and the tree of paths through the design is given in Figure 2b. With
conventional symbolic execution, each of the four root-to-leaf paths
in Figure 2b is symbolically executed. This is the strategy taken by
current approaches (e.g., [3], [39]) that translate a design into a C++
representation and then use the KLEE symbolic execution engine.
But, the two subtrees rooted at a node labeled 9 represent repeated
work. For each subtree, the symbolic execution engine was exploring
the paths through the same block of code: the second if-else block
starting at line 9.
The branching condition and assignments in lines 2–5 are inde-
pendent of the branching condition and assignments in lines 9–12.
Regardless of which path is taken at the first branch (line 2), the

1 always @ ( posedge clk ) begin
2 i f ( g0 )
3 x <= inpA ; / / inpA i s an i n p u t s i g n a l
4 else
5 x <= 0 ;
6 end
7 h2, 3ia :
8 always @ ( posedge clk ) begin
9 i f ( g1 )
10 y <= inpB ; / / inpB i s an i n p u t s i g n a l
11 else
12 y <= 0 ;
13 end
Fig. 1: Verilog code example with two branches.
(a) Control flow graph (b) Full tree of paths
(c) Trees of paths to be independently explored under
piecewise composition
Fig. 2: Piecewise Composition
symbolic execution starting at the second branch point (line 9) will
produce the same sub-tree. The feasibility of paths of the second
condition will be the same, and updates to the symbolic state will be
the same. For example, let inputs inpA and inpB be initialized with
symbolic values α and β , respectively, and assume the gating signals
g0 and g1 have symbolic values γ0 and γ1 at this point in the code.
For the path in which both branches are taken (nodes h2, 3, 9, 10i in
the symbolic execution tree), the symbolic store at the end of the
path would be σ = {x := α, y := β } with path condition π = γ0 ∧ γ1 .
For the path in which the first branch is not taken, but the second one
is (h2, 5, 9, 10i), the symbolic store at the end of the path would be
σ = {x := 0, y := β } and the path condition is π = ¬γ0 ∧ γ1 . In both
paths, the updates to y are the same, despite the different updates to
x.
B. Piecewise Composition
With piecewise composition, the symbolic execution engine ex-
plores independent blocks of the RTL separately, producing inde-
pendent trees of path fragments. In the above example, piecewise
composition results in the two trees produced in Figure 2c. The
symbolic execution engine now explores the second if-else block
only once. Continuing with our example, piecewise composition will
separately explore the two always blocks, producing the following
four path fragments (labeled a through d) with associated path
conditions and (partial) symbolic stores:
σa = {x := α}, πa = γ0
h2, 5ib : σb = {x := 0}, πb = ¬γ0
h9, 10ic : σc = {y := β }, πc = γ1
h9, 12id : σd = {y := 0}, πd = ¬γ1
To find full paths through the design and to successfully find
assertion violations, all realizable combinations of path fragments are
composed with the help of an SMT solver. For example, to realize
path h2, 5, 9, 10i, the symbolic execution engine queries the SMT
solver to find whether the two path fragments, h2, 5i and h9, 10i can
be joined: isSAT(x = 0 ∧ ¬γ0 ∧ y = β ∧ γ1 ). In this simple example,
all four combinations of path fragments are possible, but in general
that will not always be the case. If, for example, the gating signals
g0 and g1 both took their values from the same input, and were
therefore constrained to always have the same value, the SMT solver
would find that paths h2, 5, 9, 10i and h2, 3, 9, 12i were unrealizable.
An important result of piecewise composition is that it is sound:
all composed paths that are realizable correlate to replayable paths
through the full design. The satisfying solutions returned by the SMT
solver can be provided as inputs to the design in the starting reset
state and will result in execution (either in simulation or running on
an FPGA) following the corresponding path.
C. Comparison with Backtracking and Caching
Piecewise composition shares some similarities with backtracking
and caching, two techniques often used in software symbolic ex-
ecution engines (e.g., KLEE [13], Angr [15]). But, there are key
differences. Backtracking reduces repeated work by maintaining state
at each point in a path and allowing two paths with a shared
prefix to reuse the saved state. For example, If path h2, 3, 9, 10i
has been explored, then when the engine explores path h2, 3, 9, 12i,
backtracking allows the engine to reuse the saved state at point 9 and
continue exploration from there. Backtracking prevents re-exploring
path h2, 3i for each of h9, 10i and h9, 12i; piecewise composition
also prevents this re-exploration. However, with backtracking, paths
h9, 10i and h9, 12i will be re-explored to create the paths starting
with prefix h2, 5i; this re-exploration is prevented by piecewise
composition.
Caching queries reduces the time spent in the SMT solver by
reusing the results from prior queries. Caching queries is a technique
orthogonal to piecewise composition. Using the two techniques
together could further reduce runtime.
IV. A S YMBOLIC E XECUTION E NGINE WITH P IECEWISE
C OMPOSITION
Mechanically, the symbolic execution engine achieves piecewise
composition by decomposing a design into partitions: one partition
to contain all combinational logic in the design, one partition for
all register declarations, and a set of N partitions, one per always
block, to handle the sequential logic in the design. Each partition is
fully symbolically explored once per clock cycle, with the exception
of the combinational logic partition, discussed next in Section IV-A.
 Each of the N sequential always block partitions are explored
independently of the other always blocks, and the exploration
produces a set of path fragments. The complete exploration of the
full design produces N sets, one per always block. The set of full
root-to-leaf symbolic execution paths through the design is formed
by taking the cross-product of the N sets of path fragments. The SMT
solver is used to ensure only those combinations that are sound – that
correspond to true paths through the design – are kept.
A. Combinational Logic
The symbolic execution engine will check for any combinational
latches, and if any appear, will exit with an error. Otherwise, the
tool symbolically executes each combinational logic statement in the
partition and then begins to symbolically execute the control flow
paths through each always block. As each block is executed the
engine keeps track of a dirty bit for each signal, which gets set to 1
when the signal is updated. Once a path has been completed, every
assign statement in the combinational logic partition for which
the right-hand side involves a dirty signal is re-evaluated, in order.
During this re-evaluation, the engine continues to track when signals
become dirty. Additionally, conditional continuous assignments using
the ternary operator are characterized as ITE statements rather than
branch points when they are evaluated during this phase.
B. Sequential Logic
Each sequential always block is explored independently. This
approach is sound if the always blocks are truly independent – the
path condition and symbolic state of the various paths through one
block are the same regardless of the paths taken through other blocks.
In the following we discuss the issue of independence in more detail.
Consider two sequential always blocks, B0 and B1 , both blocks are
triggered on the rising edge of the input clock signal. (The choice
of which clock edge is used is irrelevant, but it is assumed that both
blocks trigger on the same edge of the same clock signal.)
Independence In the simplest case, none of the variables that
appear in B0 appear in B1 . The two blocks are independent and,
within a single clock cycle, the execution of one block has no bearing
on the execution of the second block. (Recall that two sequential
always blocks can be thought of as executing in parallel.) The two
blocks can be explored separately and their paths can be composed in
any order. This case is rare, however, as an input reset signal typically
appears in all or most blocks.
Read-read dependence In the next case, the same variable may
appear in a branch condition or right-hand side of an assignment in
both B0 and B1 . The two blocks can still be explored separately
and their paths can be composed in any order. However, some
combinations of paths may not be feasible, as variables that appear
in branch conditions in both blocks, say b0 and b1 , respectively, will
preclude the combination of paths from B0 in which b0 holds with
paths from B1 in which b1 holds when b0 ∧ b1 is unsatisfiable.
Read-write dependence In the next case, a variable may appear
in a branch condition or on the right-hand side of an assignment in
B0 and on the left-hand side of an assignment in B1 . When non-
blocking assignments are used, updates to variables in B1 take effect
in the next clock-cycle, whereas reads and conditional branches in
B0 are using variable values as set in the previous clock cycle. The
symbolic execution engine keeps the appropriate value and there is
no conflict. The two blocks can be explored separately and their paths
can be composed in any order. Our tool does not support the use of
blocking assignments within sequential always blocks.
Write-write dependence In the final case, variables appear on the
left-hand side of an assignment in both always blocks. This violates
best practice in Verilog design. The symbolic execution engine will
check for any instances of write-write dependence, and if any appear
will exit with an error.
C. Multiple Clock Cycles
The symbolic execution of a hardware design for one clock cycle
produces a tree where the root node represents the design in the
reset state or initial state, and each each leaf node corresponds to
a “next-state” at the clock-cycle boundary. To explore a design for
two clock cycles would mean exploring the design again, once for
each leaf node of the tree constructed during clock cycle 0. This
time exploration would begin not at the reset state, but rather at the
state indicated by the given leaf node of the prior cycle. At the end
of each single clock-cycle exploration, there is a merging process in
which all of the input signals and combinational wires are given fresh
symbols while stateful elements carry over their expressions from the
previous cycle.
D. Further Optimizations
1) Repeat Submodules
When the modules are duplicate instantiations of the same module
there is room for reduction in the total search space. The main idea
of the optimization is similar in spirit to piecewise composition in
that we explore each submodule once for each path. Then instead
of re-exploring again for each repeat instantiation, we can merge in
the symbolic store and path condition for the given root-to-leaf path
using SMT queries.
2) Cone of Influence Analysis
This optimization prunes the exploration space at the block level.
The symbolic execution engine will read in the expressions supplied
in the assertions, perform a dependency analysis over the signals
in the assertions and then complete an AST traversal to determine
which blocks read from or write to the signals of interest or their
dependencies. After this initial pass, the engine will only explore
blocks that involve the signals of interest or their dependencies.
V. I MPLEMENTATION
Our symbolic execution engine is built in python 3.8 and im-
plements the Verilog semantics according to the IEEE 1364-2005
standard. We use the pyVerilog library to build the Verilog AST and
we use networkX to manage graph search and traversal. We use the
Z3 python API for SMT solving. The symbolic execution engine
takes in a design written in Verilog, including the assertions written
according to the SystemVerilog 1800-2017 standard, and outputs
replayable counterexamples.
VI. E VALUATION
We evaluate our implementation over five open-source designs,
including CPU and SoC designs, to study its viability as a platform
for the verification of hardware designs. Our evaluation considers
the following questions: 1) How well does piecewise composition
counter the path explosion problem? 2) What effect do piecewise
composition and the optimizations described in Section IV-D have on
performance? 3) Can the symbolic execution engine produce assertion
violations with replayable counter-examples for buggy and vulnerable
designs?
A. Dataset and Experimental Setup
We collected five designs and 84 security critical assertions from
several sources. The first three designs and associated assertions came
from the Security Property/Rule Database available on TrustHub [16],
[17]: an enhanced version of the Serial Peripheral Interface avail-
able on Motorola’s MC68HC11 family of CPUs; openMSP430,
a synthesizable 16-bit microcontroller core compatible with Texas
Instruments’ MSP430 microcontroller family; and a CrypTech True
Random Number Generator (TRNG). For each of these designs, the
database included 9, 2, and 2 security properties, respectively.
The fourth design is the PULPissimo SoC used in a recent
Hack@DAC competition [18]. The design is buggy; some of the
bugs were inserted manually by the organizers of the competition and
others were native to the design [19]. Using the English description of
the properties, as well as the walkthrough of the test-case generation
in the RTL-ConTest paper [4] we developed 26 assertions for use
with our tool.
The fifth design is the OR1200 processor core. We collected
30 security-critical bugs from two prior papers, SPECS [20] and
SCIFinder [21] and 70 security assertions from SPECS [20], Security
Checkers [22], SCIFinder [21], and Transys [23].
The experiments are performed on a machine with an Intel Xeon
E5-2620 V3 12-core CPU (2.40GHz, a dual-socket server) and 62G
of available RAM.
B. Mitigation of Path Explosion
We evaluate how well piecewise composition mitigates the path
explosion problem. The number of paths extant in a design will not
change, but the amount of work the symbolic execution engine has to
do to realize a complete path is considerably smaller with piecewise
composition. For each design we compare the average number of
lines of code and branch points visited to find an assertion violation
both with and without piecewise composition. Table I has the results.
Piecewise composition reduces the number of lines of code visited
(i.e., reduces redundant visits to the same line of code) by 92%–99%
and branch points visited by 64%–99%.
To gain a more complete picture, we symbolically explore all paths
through one design. We used the MC68HC11 SPI, which is small
enough that symbolic execution without piecewise composition can
complete the exploration. This design has 13 always blocks and
1459 paths through the design. These results are reported in Table II.
Without piecewise composition more than 90k lines of code and more
than 7k branch points are explored. With piecewise composition, the
symbolic execution engine needs to explore roughly only 7% of those
90k lines of code and only 4% of those 7k branch points.
C. Effects of Optimizations
Figure 3 shows the impact of piecewise composition on the average
number of SMT queries and average time spent in the SMT solver
for each design. One concern might be that the win in minimizing
redundant explorations comes at the expense of exploding SMT
solver work. However, the opposite occurs. Reducing the number
of paths explored also reduces the number of queries to the solver
overall; remember that during exploration, the solver is queried at
each branch point. With piecewise composition turned on there was
an 18% decrease, on average, in the number of SMT queries and a
21% decrease in the amount of time spent solving.
In Table III we measure runtime for four cases: Baseline, with
no optimizations enabled; P.C, with piecewise composition enabled,
Repeat, with repeated modules explored only once; and COI, with
cone-of-influence analysis completed before exploration. Each case is
cumulative, for example, in the Repeat case the Parallel optimization
is enabled as well. For each design we take the average when looking
for each assertion. For all but the smallest design, Baseline could not
reliably complete exploration within 30 minutes at which point we
stopped searching. Table III shows the results. For each case, we
provide the absolute runtime in seconds and the decrease in runtime
compared to the prior case. Overall, the optimizations decrease the
engine’s runtime by 95-99%.
D. Finding Assertion Violations
To evaluate the engine’s ability to find assertion violations, we run
a set of experiments in which we have ground-truth knowledge of the
(minimum) number of violations in each design. From our dataset,
we had ground truth for two of the designs: the Hack@DAC SoC
(31 bugs) and the OR1200 processor core (30 bugs).
In these experiments, symbolic execution begins in the reset state
with all input signals made symbolic, and execution continues until
an assertion violation is found. Table IV summarizes the results.
The engine finds 24 of the 31 bugs in the Hack@DAC SoC. By
way of comparison, prior work reports finding 14 of the 31 bugs
using concolic execution [4] and the organizers of Hack@DAC report
finding 6 and 15 bugs using the commercial tools Cadence SPV and
Cadence FPV, respectively [18].
The engine finds 27 of the 30 bugs in the OR1200. Of the three
missed, one did not have a property that covered it. The second bug
was related to the correct instruction being executed and would allow
an attacker to carry out an ROP exploit by early kernel exit. The
third bug was related to control flow and will incorrectly set the link
register, which is used when the processor returns from function calls.
All counterexamples generated by our engine were successfully
replayed in simulation starting from the reset state using Vivado.
E. Comparison to Current State of the Art
Coppelia is a tool that first translates Verilog to C and then
uses a conventional symbolic execution, but with search strategies
optimized for hardware designs [3]. The authors report that most
(62%) of exploits in their experiments are generated within 15
minutes, and several are found within 2–4 hours. Symbolic execution
with piecewise composition, by contrast, finds the same exploits in
comparable designs (including the OR1200) in under 2 minutes. The
authors of RTLConTest [4], a concolic execution engine, report that it
takes around an hour and 40 minutes to complete on the PULpissimo
SoC, which is a modified version of the HACK@DAC 2018 design
that we used for our evaluation. Once they perform the concolic
execution and generate the tests, it takes 10 seconds on average to
produce a counterexample. For security properties targeting the same
bugs, our tool performs the complete end-to-end symbolic execution
workflow to generate counterexamples in 122 seconds, on average.
VII. R ELATED W ORK
Model Checking Current practice in hardware validation involves
a combination of simulation-based testing and static analysis tech-
niques like model checking. Model checking can formally verify that
a program satisfies a set of specifications, given in the form of a
temporal logic formula [24]. The general verification procedure is an
exhaustive search of the design space. In practice, bounded model
checking is used in which the verification explores the design for up
to k time steps [25]. Symbolic Trajectory Evaluation is a lattice-based
model checking technique developed and used by Intel [26], and
more recent work has brought this closer to the word-level [27]. The
goal of STE is to formally verify properties of a sequential system
 Design Baseline Piecewise Composition Percent Decrease
LoC branch points LoC branch points LoC branch points
explored explored explored explored explored explored
OR1200 54018 7803 881 45 98% 99%
Hack@DAC 493032 15093 3525 276 99% 98%
MC68HC11 SPI 2093 158 174 57 92% 64%
openMSP430 15293 377 489 68 97% 82%
CrypTech TRNG 8930 421 336 91 96% 78%

TABLE I: Average Impact of Piecewise Composition on Path Explosion

(a) Solver Time (b) SMT Queries

Fig. 3: Effects of Optimizations on Solver Time and Number of SMT Queries

Configuration LoC branch points paths
explored explored completed
Baseline 90706 7380 1459
Piecewise Composition 6783 323 1459
TABLE II: Full Exploration of MC68HC11 SPI Design
over bounded-length trajectories using a modified form of 3-valued
symbolic simulation [28]. SymbiYosys [8] is a model checking engine
built on top of Yosys that serves as an extension of Yosys [29] existing
property checking framework.
Symbolic and Concolic Execution
The use of symbolic execution and related techniques for RTL de-
signs is gaining traction. RTLConTest [4] and the work by Witharana
et al. [30] are examples of concolic testing engines developed for the
security verification of hardware designs. Coppelia [3] is a hardware-
oriented backward symbolic execution engine built on top of KLEE
for RTL designs translated to C++. EISec [39] also uses KLEE, but
for netlists translated to C++. All demonstrate the power of symbolic
execution as applied to hardware designs, but all still struggle with
the path explosion problem. Many of the techniques developed in
those papers can be combined with piecewise composition.
Fuzzing Fuzzing has also been shown to be a useful technique for
finding security vulnerabilities in SoCs and CPU designs. RFUZZ
is a coverage-directed fuzz tester for circuits that presents a hard-
ware specific coverage metric called mux control coverage [31].
DifuzzRTL is an RTL fuzzing tool used to find unknown security
bugs that measures coverage based on control registers rather than
multiplexors’ control signals to improve efficiency and scalability
[32]. A recently developed Hardware Fuzzing Pipeline translates the
RTL to a software model to improve scalability in bug finding via
fuzzing [33].
Information Flow Tracking In a hardware context, information
flow refers to the transfer of information between different signals.
Information flow tracking is a verification method that studies how
information flows through a hardware design to make statements
about security [34] [35]. A hardware design can be instrumented
with tracking logic to capture timing [36] or data flow information.
This method can provide strong security guarantees, for example,
demonstrating leakage of secret key data to undesired output signals.
VIII. C ONCLUSION
We have presented piecewise composition, a technique for coun-
tering the path explosion problem in symbolic execution. We im-
plemented a symbolic execution engine using the technique and
evaluated the engine on five open-source designs. The engine reduces
redundant work by 98%–99% compared to conventional symbolic
execution, improves overall performance and successfully finds as-
sertion violations.
IX. ACKNOWLEDGMENTS
This material is based upon work supported by the National
Science Foundation under Grant No. CNS-1816637, and by a Meta
Security Research Award.
R EFERENCES
[1] Claudionor Nunes Coelho and Harry D. Foster. Assertion-Based Verifi-
cation, pages 167–204. Springer US, Boston, MA, 2004.
[2] Lixiang Shen, Dejun Mu, Guo Cao, Maoyuan Qin, Jeremy Blackstone,
and Ryan Kastner. Symbolic execution based test-patterns generation
algorithm for hardware trojan detection. Comput. Secur., 78:267–280,
2018.
 Design Baseline Piecewise Redund COI Overall
runtime runtime % dec runtime % dec runtime % dec % dec
(sec) (sec) (sec) (sec)
OR1200 timeout (1800) 52.47 97.08% 37.56 21.31% 25.22 12.56% 98.60%
Hack@DAC timeout (1800) 174.24 90.32% 121.94 28.34% 81.83 16.62% 95.45%
MC68HC11 962 17.53 98.18% 14.30 19.93% 0.07 99.19% 99.99%
openMSP430 timeout (1800) 37.65 97.91% 23.14 38.55% 0.73 96.83% 99.96%
CrypTech TRNG timeout (1800) 14.92 99.17% 12.08 19.15% 0.09 99.19% 99.99%

TABLE III: Average Effect of Optimizations on Runtime

Design # Bugs # Bugs Avg Max
Found Time Clock
(sec) Cycles
Taken
Hack@DAC 31 24 122 4 [20] Matthew Hicks, Cynthia Sturton, Samuel T. King, and Jonathan M.
OR1200 31 27 34 5 Smith. Specs: A lightweight runtime mechanism for protecting software
TABLE IV: Known Bugs
[3] Rui Zhang, Calvin Deutschbein, Peng Huang, and Cynthia Sturton.
End-to-end automated exploit generation for validating the security of
processor designs. In Proceedings of the International Symposium on
Microarchitecture (MICRO). IEEE/ACM, 2018.
[4] Xingyu Meng, Shamik Kundu, Arun K. Kanuparthi, and Kanad Basu.
RTL-ConTest: Concolic testing on RTL for detecting security vulner-
abilities. IEEE Transactions on Computer-Aided Design of Integrated
Circuits and Systems, 41(3):466–477, 2022.
[5] Anish Athalye, M. Frans Kaashoek, and Nickolai Zeldovich. Verifying
hardware security modules with Information-Preserving refinement. In
OSDI. USENIX Association, 2022.
[6] R. Mukherjee, D. Kroening, and T. Melham. Hardware verification using
software analyzers. In 2015 IEEE Computer Society Annual Symposium
on VLSI, pages 7–12, 2015.
[7] Voss ii. https://github.com/TeamVoss/VossII. Accessed: 2022-11-21.
[8] Symbiyosys. https://github.com/YosysHQ/sby. Accessed: 2022-11-21.
[9] James C. King. Symbolic execution and program testing. Commun.
ACM, 19(7):385â C“394, July 1976.
[10] S. Krishnamoorthy, M. S. Hsiao, and L. Lingappan. Tackling the
path explosion problem in symbolic execution-driven test generation for
programs. In 2010 19th IEEE Asian Test Symposium, pages 59–64, 2010.
[11] Blayne Mayfield and Timothy Baird. STP. In Proceedings ACM,
SIGSMALL ’90, page 98–105, New York, NY, USA, 1990. Association
for Computing Machinery.
[12] Leonardo De Moura and Nikolaj Bjørner. Z3: An efficient smt solver. In
International conference on Tools and Algorithms for the Construction
and Analysis of Systems, pages 337–340. Springer, 2008.
[13] Cristian Cadar, Daniel Dunbar, Dawson R Engler, et al. Klee: unassisted
and automatic generation of high-coverage tests for complex systems
programs. In OSDI, volume 8, pages 209–224, 2008.
[14] Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert, and David
Brumley. Unleashing mayhem on binary code. In Proceedings of
the 2012 IEEE Symposium on Security and Privacy, SP ’12, page
380â C“394, USA, 2012. IEEE Computer Society.
[15] Soomin Kim, Markus Faerevaag, Minkyu Jung, SeungIl Jung, DongYeop
Oh, JongHyup Lee, and Sang Kil Cha. Testing intermediate represen-
tations for binary analysis. In Proceedings of the 32nd IEEE/ACM
International Conference on Automated Software Engineering, ASE
2017, page 353–364. IEEE Press, 2017.
[16] Nusrat Farzana, Fahim Rahman, Mark Tehranipoor, and Farimah Farah-
mandi. SoC security verification using property checking. In 2019 IEEE
International Test Conference (ITC), pages 1–10, 2019.
[17] Nusrat Farzana, Farimah Farahmandi, and Mark Mohammad Tehra-
nipoor. SoC security properties and rules. IACR Cryptol. ePrint Arch.,
2021:1014, 2021.
[18] Hack@DAC 2018 SoC. https://github.com/seth-lab-tamu/hackdac-
2018-soc. Accessed: 2022-02-15.
[19] Ghada Dessouky, David Gens, Patrick Haney, Garrett Persyn, Arun
Kanuparthi, Hareesh Khattri, Jason M. Fung, Ahmad-Reza Sadeghi, and
Jeyavijayan Rajendran. HardFails: Insights into Software-Exploitable
hardware bugs. In USENIX ’19, pages 213–230, Santa Clara, CA, August
2019. USENIX Association.
from security-critical processor bugs. In ASPLOS, ASPLOS ’15, page
517–529, New York, NY, USA, 2015. ACM.
[21] Rui Zhang, Natalie Stanley, Christopher Griggs, Andrew Chi, and
Cynthia Sturton. Identifying security critical properties for the dynamic
verification of a processor. In ASPLOS, ASPLOS ’17, page 541–554,
New York, NY, USA, 2017. ACM.
[22] M. Bilzor, T. Huffmire, C. Irvine, and T. Levin. Security checkers:
Detecting processor malicious inclusions at runtime. In HOST, 2011.
[23] Rui Zhang and Cynthia Sturton. Transys: Leveraging common security
properties across hardware designs. In Proceedings of the Symposium
on Security and Privacy (S&P). IEEE, 2020.
[24] Edmund M. Clarke. Model checking. In S. Ramesh and G. Sivakumar,
editors, Foundations of Software Technology and Theoretical Computer
Science, pages 54–56, Berlin, Heidelberg, 1997. Springer Berlin Heidel-
berg.
[25] Edmund Clarke, Armin Biere, Richard Raimi, and Yunshan Zhu.
Bounded model checking using satisfiability solving. 19(1):7–34, 2001.
[26] Randal E. Bryant, Derek L. Beatty, and Carl-Johan H. Seger. Formal
hardware verification by symbolic ternary trajectory evaluation. In
ACM/IEEE DAC, 1991.
[27] Supratik Chakraborty, Zurab Khasidashvili, Carl-Johan H. Seger, Rajku-
mar Gajavelly, Tanmay Haldankar, Dinesh Chhatani, and Rakesh Mistry.
Symbolic trajectory evaluation for word-level verification: Theory and
implementation. Form. Methods Syst. Des., 50(2–3):317–352, June 2017.
[28] Koen Claessen and Jan-Willem Roorda. An introduction to symbolic
trajectory evaluation. In Marco Bernardo and Alessandro Cimatti,
editors, Formal Methods for Hardware Verification, pages 56–77, Berlin,
Heidelberg, 2006. Springer Berlin Heidelberg.
[29] Yosys. https://github.com/YosysHQ/Yosys. Accessed: 2022-11-21.
[30] Hasini Witharana, Yangdi Lyu, and Prabhat Mishra. Directed test
generation for activation of security assertions in RTL models. ACM
Trans. Des. Autom. Electron. Syst., 26(4), Jan 2021.
[31] Kevin Laeufer, Jack Koenig, Donggyu Kim, Jonathan Bachrach, and
Koushik Sen. Rfuzz: Coverage-directed fuzz testing of rtl on fpgas. In
ICAAD, pages 1–8, 2018.
[32] Jaewon Hur, Suhwan Song, Dongup Kwon, Eunjin Baek, Jangwoo Kim,
and Byoungyoung Lee. Difuzzrtl: Differential fuzz testing to find CPU
bugs. In 42nd IEEE S&P, pages 1286–1303. IEEE, 2021.
[33] Timothy Trippel, Kang G. Shin, Alex Chernyakhovsky, Garret Kelly,
Dominic Rizzo, and Matthew Hicks. Fuzzing hardware like software.
In USENIX ’22), pages 3237–3254, Boston, MA, August 2022. USENIX
Association.
[34] Armaiti Ardeshiricham, Wei Hu, Joshua Marxen, and Ryan Kastner.
Register transfer level information flow tracking for provably secure
hardware design. In DATE, pages 1691–1696, 2017.
[35] Wei Hu, Armaiti Ardeshiricham, Mustafa S Gobulukoglu, Xinmu Wang,
and Ryan Kastner. Property specific information flow analysis for
hardware security verification. In ICCAD, ICCAD ’18, New York, NY,
USA, 2018. Association for Computing Machinery.
[36] Armaiti Ardeshiricham, Wei Hu, and Ryan Kastner. Clepsydra: Mod-
eling timing flows in hardware designs. In ICCAD, pages 147–154,
2017.
[37] Drew Davidson, Benjamin Moench, Thomas Ristenpart, and Somesh
Jha, FIE on Firmware: Finding Vulnerabilities in Embedded Systems
Using Symbolic Execution In USENIX Security, pages 463–478,
Washington, DC, August 2013. USENIX Association
[38] Alfred Kolbl, James Kukula, Robert Damiano, Symbolic RTL Simula-
tion In DAC, 2001. IEEE.
[39] Farhaan Fowze, Muhtadi Choudhury, Domenic Forte, EISec: Exhaustive
Information Flow Security of Hardware Intellectual Property Utilizing
Symbolic Execution In AsianHOST, 2022. IEEE.